Maryland health system locked out of network by ransomware

HCPRO Website, April 1, 2016

MedStar Health, Maryland’s second largest healthcare provider, is the latest healthcare organization crippled by ransomware, a type of malware that encrypts files with a key hackers withhold for ransom. Staff have been locked out of all network systems and files since March 28 and remain unable to access some electronic files, including electronic health records (EHR), according to an update MedStar released March 31.

The ransomware hit early on March 28 when some users were prevented from logging in, MedStar said in a Facebook post that day. All systems were taken down to prevent the ransomware from spreading. MedStar brought in IT and cybersecurity specialists and contacted the FBI, which launched an investigation, the Baltimore Sun reported.

Sources at MedStar told the Baltimore Sun that hackers are demanding a ransom paid in bitcoins, a type of digital currency that’s difficult to trace, to unlock the encrypted files. The hackers’ terms are a payment of three bitcoins, the equivalent of $1,250, per individual infected computer, or a bulk payment of 45 bitcoins, approximately $18,500, to unlock all of them. However, the hackers’ communication did not make it clear whether separate 45-bitcoin payments would need to be made to unlock each affected network in MedStar’s system.

The demand was made in a ransom note that popped up on employees’ screens and claims that if the ransom is not paid in 10 days, the hackers will remove the key and leave the files permanently encrypted, the Washington Post reported. No ransom has been paid as of press time. Another recent ransomware victim, Hollywood Presbyterian Medical Center in Los Angeles, reportedly paid 40 bitcoins, or $17,000, to regain access to its records before contacting police.

Although MedStar claims that the hackers haven’t accessed any patient or employee data and that patient care has not been affected by the attack, doctors have expressed concerns that the outage means they’ll miss vital information stored only in a patient’s EHR and some patients were turned away, the Baltimore Sun reported. The radiation oncology department at University of Maryland St. Joseph Medical Center, which contracts through MedStar, cancelled appointments after 10 a.m. March 28 and all day March 29. Patients told the Baltimore Sun that the ransomware attack is preventing them from having prescriptions refilled or even locating family members at the hospital.

Although staff are still cobbling together medical records from paper documents and patients are directed to call their physicians’ offices directly to schedule appointments, the system is slowly coming back online, MedStar says.

Ransomware attacks have exploded in the healthcare industry this year. Along with Hollywood Presbyterian, three other U.S. hospitals reported ransomware attacks this month alone. Methodist Hospital in Henderson, Kentucky, Chino Valley Medical Center in Chino, California, and Desert Valley Hospital in Victorville, California, were locked out of systems and received ransom demands. The Los Angeles Department of Health Services discovered remnants of ransomware on five network computers February 24, shortly after the Hollywood Presbyterian attacks, but there was no evidence any systems or files were actually affected, the Los Angeles Times reported.

Unlike other types of cyberattacks in which protected health information (PHI) is clearly accessed, there is currently no requirement under HIPAA to make a formal report to the Office of the National Coordinator of Health IT if PHI is simply locked by ransomware at the point of storage. During a March 22 congressional hearing, lawmakers raised the possibility of modifying HIPAA to require covered entities and business associates to report ransomware attacks that affect PHI.

*MAGNET™, MAGNET RECOGNITION PROGRAM®, and ANCC MAGNET RECOGNITION® are trademarks of the American Nurses Credentialing Center (ANCC). The products and services of HCPro are neither sponsored nor endorsed by the ANCC. The acronym "MRP" is not a trademark of HCPro or its parent company.